Obligations concerning data security
(1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
- a) preventing unlawful processing of personal data,
- b) preventing unlawful access to personal data,
- c) ensuring protection of personal data.
(2) In case the processing of personal data is carried out by another natural or legal person on behalf of the data controller, the data controller shall be jointly responsible with these persons for taking the measures laid down in the first paragraph.
(3) The data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, in order to ensure the implementation of the provisions of this Law.
(4) The data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, nor shall they use such data for purposes other than that for which the personal data have been processed. This obligation shall continue even after the end of their term of office.
(5) In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach on its official website or in any other way it deems appropriate.